Re: [pkix] Derived Credentials. Was: Simple Certificate Enrollment Protocol (SCEP)

Peter Gutmann <pgut001@cs.auckland.ac.nz> Thu, 13 November 2014 20:14 UTC

From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: IETF PKIX <pkix@ietf.org>
Date: Thu, 13 Nov 2014 20:14:26 +0000
Message-ID: <9A043F3CF02CD34C8E74AC1594475C739B9EC113@uxcn10-tdc05.UoA.auckland.ac.nz>
Archived-At: http://mailarchive.ietf.org/arch/msg/pkix/l6tkzCZKBL7mSvPw1Y2PVcDUD9A
Subject: Re: [pkix] Derived Credentials. Was: Simple Certificate Enrollment Protocol (SCEP)

Johannes Merkle <johannes.merkle@secunet.com> writes:
>Anders Rundgren wrote on 12.11.2014 10:25:
>> On 2014-11-12 10:03, Max Pritikin (pritikin) wrote:
>>> Anders - both of these requirements can be met by these protocols.
>>
>> AFAICT, end-to-end security with respect to the *key-container* is outside of all
>> PKIX enrollment protocols.  No CMS (Card Management System) uses CMP, SCEP, or EST
>> directly; they use other protocols for actual token provisioning/initialization.
>
>This is not correct. I have participated in the implementation of two Card
>Management Systems that use CMP for smart card initialization and
>provisioning. Both are operative, the first one managing over 8 million cards,
>the second one over 60.000.

Same here, for HSMs.

Peter.